Shielded CSV 🛡️

Private and Efficient

Client-Side Validation

Jonas Nick

Liam Eagen

Robin Linus

shieldedcsv.org

• Shielded CSV is a transaction protocol to create an L1 on top of a blockchain that allows embedding arbitrary data  (e.g., Bitcoin).
• It inherits double-spend security from the underlying blockchain.
• The amount of data embedded into the blockchain is 64 bytes.
• Coins and coin proofs are sent directly to the receiver through a private one-way communication channel.
• Coin proofs are succinct.
• Shielded CSV is fully private.

Summary

Motivation

1. A more efficient design for private cryptocurrencies
   • ZK proofs are not on the blockchain and are not verified by full nodes. Can be built on existing blockchain.
2. Improve privacy of Bitcoin.
   • Use Bitcoin as the underlying blockchain. Requires bridge (BitVM, one-way peg, federated peg, ...).

Toy CSV: 🐸 Issuance

👩‍🌾

Ivy

the Issuer

Toy CSV: Transaction

👩‍🌾

Ivy: 2 sat

Ivy

the Issuer

On-Chain

Off-Chain

Roy

the Receiver

🧑‍🎤

Ivy: 10 🐸

Comparing CSV

What is CSV really?

1. Derive short piece of data ("nullifier") from the CSV transaction.
2. Post nullifier to blockchain to prevent double-spending.

Taking CSV seriously

Shielded CSV: Definitions

• CSV Transaction: similar to Bitcoin transactions. Consist of inputs and outputs.

• Coin: Tx output. Consists of amount & public key.
• CoinID: Tx hash & coin index. Tx inputs contain CoinIDs.
• Coin Proof: History of transactions connecting to issuance transactions.

Preventing Double Spending

👩‍🚀

Preventing Double Spending

Preventing Double Spending

This design does prevent double spending with only a small nullifier!

• Problem: Insecure! Anyone can nullify any coin.
  • Solution: Add signature to nullifier.
• Inefficiency: One nullifier per spent coin.
  • Solution: Introduce "accounts", a special type of TXO.
  • Result: one nullifier per account state update that can spend an arbitrary number of coins.

• Problem: Posting nullifiers requires a dedicated on-chain tx.

  • Solution: Publishers collect nullifiers and post them all at once with a single on-chain tx. Anyone can become a publisher.

Towards 64-bytes Nullifiers

(insecure, one nullifier per coin)

👩‍🚀

🧑‍🎤

Block i

Succinct & Private Coin Proofs

Proof-Carrying Data (PCD) [2010]

• πᵢ: proof that the entire preceding computation graph is correct.
  • Size and Verification time independent of graph size.
  • Zero-Knowledge for incoming inputs and and outputs.
• PCD can be instantiated with recursive SNARKs or Folding schemes.

Proof-Carrying Data (PCD) [2010]

🖥️

🖥️

🖥️

Local Input

Local Input

Local Input

Output

Output

Output

Output

, π₁

, π₂

, π₃

, π₄

• 🖥️: Shielded CSV transaction
• Output: Account state or coin
• Local Input: Account update proofs, etc
• πᵢ: Coin proof

Shielded CSV Coin Proofs

👩‍🚀

Local Input

AcctState

Coin

, π₁

, π₂

• Coin proof π₄ proves to Roy that all transactions are correct and have been nullified
  • succinct and ZK
• Why PCD? Framework abstracts away some of the complexity.

Shielded CSV is ...

• an instantiation of PCD,
• the definition of correct computation in PCD,
  • we specify this in Rust,
• a spec for how the nullifier key-value store is updated.

This was just a tiny glimpse of the paper

• Blockchain reorganizations
• "Trustless" Publishing & Fees
• Security definitions of the primitives (accumulators, etc.)
• t-of-n Shared Accounts
• Atomic Swaps
• Wallet State
• Nullifier Accumulator based on Merkle Tree of Merkle Trees
• ...

Future Work

• More complete specification & test vectors
• Instantiation of primitives
• BitVM (?) Bridging
• Communication channels / UX
• Other drawbacks of CSV paradigm?
• "mempool"
• Efficient timelocks
• Payment channels
• Light clients
• Scriptable spending policies
• ...

shieldedcsv.org